This document describes how to configure the syslog settings in order to log the events to an external server in the Cisco Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access (CA).

The information in this document is based on the Cisco NAC Appliance that runs software version 4.0 and later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

These navigation links page through the event log. The most recent events appear first in the Events column. The Last link shows you the oldest events in the log. A maximum of 25 entries is displayed on a page.

Column

Click a column heading, such as Type or Category, in order to sort the Event log by that column.

After the desired search criteria are chosen, click View in order to display the results.

Reset View

If you click Reset View, it restores the default view, in which logs within one day are displayed.

Delete

If you click Delete, it removes the events filtered through the search criteria across the number of applicable pages. Delete removes filtered events from Clean Access Manager storage. Otherwise, the event log persists through system shutdown. Use the filter event indicator shown in Figure 1 in order to view the total number of filtered events that are subject to deletion.

Indicates the module or system component that initiated the log event. For a list, refer to Category under the Search criteria section. Note that, by default, system statistics are generated every hour for each Clean Access Server that is managed by the Clean Access Manager.

Time

Displays the date and time (hh:mm:ss) of the event, with the most recent events first in the list.

Event

Displays the event for the module, with the most recent events listed first. See Table 2 - Event Column Fields for an example of a Clean Access Server event.

1. Authentication-type entries can include the item “Provider: <provider type>, Access point: N/A, Network: N/A.” In order to continue to provide support for the end-of-life (EOL) legacy wireless client, if present and pre-configured in the Manager, the “Access point: N/A, Network: N/A” fields provide access point (AP) MAC and service set identifier (SSID) information respectively for the legacy client.

Load factor indicates the number of packets that wait to be processed by the Clean Access Server, that is, the current load that is handled by the CAS. When the load factor grows, it is an indication that packets wait in the queue to be processed. If the load factor exceeds 500 for any consistent period of time, such as five minutes, this indicates that the Clean Access Server has a steady high load of inbound traffic/packets. Be concerned if this number increases to 500 or higher.

(max since reboot: <n>)

The maximum number of packets in the queue at any one time. In other words, the maximum load handled by the Clean Access Server.

Mem Total: 261095424 bytes
Used: 246120448 bytes
Free: 14974976 bytes
Shared: 212992 bytes
Buffers: 53051392 bytes
Cached: 106442752 bytes

These are the memory usage statistics. There are six numbers shown here: total memory, used memory, free memory, shared memory, buffer memory, and cached memory.

CPU User: 0%

These numbers indicate CPU processor load on the hardware, in percentages. These four numbers indicate time spent by the system in user, nice, system, and idle processes.

Note: Time spent by the CPU in system process is typically greater than 90 percent on a Clean Access Server. This indicates a healthy system.
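As an added example (not Cisco's code), the Python below parses the statistics fields described above out of a forwarded event on the syslog server and applies the load factor threshold of 500 over a five-minute window. The sample message is constructed: its memory values are the ones shown on this page, while the "Load factor" label format, the single-line layout and the load numbers are assumptions.

```python
import re

# Constructed sample event text. Memory values are the ones shown on this page;
# the "Load factor" label format, one-line layout and load numbers are assumed.
SAMPLE = ("Load factor: 12 (max since reboot: 640) "
          "Mem Total: 261095424 bytes Used: 246120448 bytes "
          "Free: 14974976 bytes Shared: 212992 bytes "
          "Buffers: 53051392 bytes Cached: 106442752 bytes CPU User: 0%")

FIELDS = {
    "load": r"Load factor:?\s*(\d+)",
    "load_max": r"max since reboot:\s*(\d+)",
    "total": r"Mem Total:\s*(\d+)",
    "used": r"\bUsed:\s*(\d+)",
    "free": r"\bFree:\s*(\d+)",
    "buffers": r"Buffers:\s*(\d+)",
    "cached": r"Cached:\s*(\d+)",
    "cpu_user": r"CPU User:\s*(\d+)%",
}

def parse_stats(message):
    """Return the numeric statistics fields present in one event string."""
    found = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, message)
        if match:
            found[name] = int(match.group(1))
    return found

def memory_in_use(stats):
    """Fraction of Mem Total in use after excluding buffers and cache."""
    # On the page's numbers Used + Free == Mem Total, so Used already
    # includes buffer and cache memory (assumed reclaimable, as on Linux).
    try:
        return (stats["used"] - stats["buffers"] - stats["cached"]) / stats["total"]
    except (KeyError, ZeroDivisionError):
        return None  # truncated or malformed event

def sustained_high_load(samples, threshold=500, window_s=300):
    """True if load stays at or above threshold for at least window_s seconds."""
    run_start = None
    for ts, load in sorted(samples):  # (epoch_seconds, load_factor) pairs
        if load < threshold:
            run_start = None
        else:
            run_start = ts if run_start is None else run_start
            if ts - run_start >= window_s:
                return True
    return False
```

On the page's sample values, Used is about 94 percent of Mem Total, but only about 33 percent remains once buffers and cache are subtracted. The five-minute check is only meaningful if the health log interval is short enough to produce more than one sample in that window.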

The event log threshold is the number of events to be stored in the Clean Access Manager database. The maximum number of log events kept on the CAM, by default, is 100,000. You can specify an event log threshold of up to 200,000 entries to be stored in the CAM database at a time. The event log is a circular log. The oldest entries are overwritten when the log passes the event log threshold.

System statistics are generated every hour, by default, for each Clean Access Server that is managed by the Clean Access Manager. By default, event logs are written to the CAM. You can redirect CAM event logs to another server, such as your own syslog server.

Additionally, you can configure how often you want the CAM to log system status information. In order to do this, set the value in the Syslog Health Log Interval field. The default is 60 minutes.

In order to configure Syslog logging:

Choose Monitoring > Event Logs > Syslog Settings.

Enter the IP address of the syslog server in the Syslog Server Address field. The default is 127.0.0.1.

Enter the port for the syslog server in the Syslog Server Port field. The default is 514.

Enter how often you want the CAM to log system status information, in minutes, in the System Health Log Interval field. The default is 60 minutes. This setting determines how frequently CAS statistics are logged in the event log.

Click Update in order to save your changes.

Note: After you set up your syslog server in the CAM, you can test your configuration. In order to do this, log off and log back in to the CAM admin console. This generates a syslog event. If the CAM event is not seen on your syslog server, make sure that the syslog server receives User Datagram Protocol (UDP) 514 packets and that they are not blocked elsewhere on your network.

Note: Configuring multiple syslog servers is not supported. You can forward to only one syslog server.

2. Switch Management events for notifications received by the CAM from switches are written only to the logs on the file system (/perfigo/logs/perfigo-log0.log.0). Furthermore, these events are written to disk only when the log level is set to INFO or finer.